Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

How a hacker circumvents two-factor authentication:

First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.

Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.

The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).

This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.

The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.

Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.

The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.

The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook somehow gets your password (easy with brute force software if you have a weak password) and username or retrieved in a data dump of some hacked site. They spoof their text message to you to make it look like it came from the company of your account.

Red flags/scams/behaviors/requests to look out for:

Pay Attention!

You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).

If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?

Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.